New law obliges banks to reimburse cyberfraud victims
CBR Press

The Bank of Russia has detailed new legislative measures, effective 2027, to combat cyberfraud. The 'Antifraud 2.0 package' obliges banks to reimburse customers for funds stolen via malware-infected online banking applications.

Banks liable for malware-related theft

Under Russia's new 'Antifraud 2.0 package' law, effective from 2027, banks will be legally required to reimburse customers for funds stolen through cyberfraud involving malware-compromised online banking applications.

To prevent such thefts, credit institutions are mandated to offer a malware check of the customer's device, carried out with the customer's explicit permission.

If malware is detected, the bank must reject the transaction, immediately inform the customer, and advise them to complete the transaction using a secure alternative device or by visiting a bank branch.

This measure aims to shift the financial burden of sophisticated cyberattacks from individual consumers to financial institutions, fostering greater security responsibility within the banking sector.

The law represents a significant step in enhancing consumer protection against evolving digital threats.

Card limits and telecom accountability

The legislation introduces a limit of 20 payment cards per individual across all banks, aiming to prevent fraudsters from using numerous cards for illicit money withdrawal.

A fraud information database will store an individual's data for one year upon first inclusion, and three years for subsequent entries, with early deletion possible if law enforcement closes the related criminal case.

Crucially, telecom operators will now face financial liability for failing to comply with antifraud requirements, mirroring the banking system's accountability for funds transfer security.

This includes detecting fraudulent calls and protecting individuals, with reimbursement responsibility falling on the non-compliant party.

The information exchange between banks and telecom operators via the Antifraud system will be further elaborated.

A necessary, yet complex, shield

This legislative package marks a necessary step by the Bank of Russia to bolster consumer trust in digital financial services.

While the intent to protect individuals from sophisticated cyberfraud is clear, its practical implementation, particularly regarding malware detection and inter-operator liability, will present considerable operational challenges.

Ultimate effectiveness will hinge on seamless coordination between banks, telecom providers, and law enforcement.